Under the subject of “I sat through an FTC seminar on COPPA compliance for kids apps so you didn’t have to”, here are some salient points as they relate to our kid app work.
These are the key take-aways from their 70+ FAQ write-up (!) on the new law that goes into effect on July 1st.
Privacy Policy
- The privacy policy must be on the app store page, on the app start screen, and anywhere that info is collected.
- FTC recommends using this privacy policy generator tool (though I am unsure if their wizard has been adjusted to the new compliance rules)
Social media sites
- Must obtain parental consent to authorize features such as Facebook, Twitter, etc.
- For Bean Creative, this means that we cannot offer any social sharing in any future apps or update existing apps with these features after July 1.
Analytics
- Exception for collecting a persistent ID in support of internal operations (this means that you can use analytics for viewing in-app feature usage and such, but you must ensure that you use one that doesn’t exclude apps geared at kids under 13)
- A no-brainer, but you can’t use it if the analytics are using data to target ads by behavior
Photos/Videos of Children
- Child image or voice — if the picture or video stays on the device within the app and isn’t transmitted, then it’s not part of COPPA
- Can’t have geolocation or other persistent identifiers in photos/videos
- If you take a photo on the device, it will fall under COPPA if you use the app to do the emailing… but if you let the kid capture the photo/video to the device’s photo album, then they can choose to email/share from there and you’re not on the hook for COPPA.
Push Notifications
- Need to collect parent online contact info (would you believe that the statute doesn’t allow mobile phone numbers as a method for online contact?!)
- You must use email and contact them with details on your information practices and the opportunity to opt out
Parental consent methods
- Putting in the app store password doesn’t count!
- From the FTC FAQ:
If you are going to use children’s personal information only for internal purposes – that is, you will not be disclosing the information to third parties or making it publicly available – then you can use any of the above methods or you can use the “email plus” method of parental consent. “Email plus” allows you to request (in the direct notice sent to the parent’s online contact address) that the parent indicate consent in a return message. To properly use the email plus method, you must take an additional confirming step after receiving the parent’s message (this is the “plus” factor). The confirming step may be:
- Requesting in your initial message to the parent that the parent include a phone or fax number or mailing address in the reply message, so that you can follow up with a confirming phone call, fax or letter to the parent; or
- After a reasonable time delay, sending another message via the parent’s online contact information to confirm consent. In this confirmatory message, you should include all the original information contained in the direct notice, inform the parent that he or she can revoke the consent, and inform the parent how to do so.
How will readying your apps and web experiences affect your end product? Let us know in the comments!